"OMG YOU SENT TEH VIRUSESS"

Scott Silva ssilva at SGVWATER.COM
Thu Jun 16 00:57:41 IST 2005


Matt Kettler said the following on 6/15/2005 4:30 PM:
> Jason Balicki wrote:
> 
>>As an update to this, I received a response today.
>>
>>Does anyone have any ammo I can use in response to
>>this:
>>
>>Begin quote:
>>As for the virus notifications, as pointless as it may seem to you, it's
>>our company policy to attempt to inform possibly infected systems
>>(whether they are forged or not) if they have sent us an infected
>>message and/or spam.  This company policy has proven effective on many
>>occasions over the past 7 years of having internet capable e-mail.  In
>>one such case we alerted a very large public safety organization of a
>>virus breakout on their network.  
>>
>>If our policy is causing grief for your mailing list, let me know which
>>software you are using to manage it, I will personally do the research
>>to show you how to properly filter out these messages.
>>
>>Nowhere in the RFC for SMTP mail does it cover virus notifications.  In
>>fact, the concept of silently deleting messages that could not be
>>delivered can be construed as contravening the RFC 1123.  Once an SMTP
>>system accepts the message with the 250 (OK) message in response to the
>>DATA command, it has the responsibility of delivering the message or
>>informing the sender (via return-path or from header).  If you can point
>>out a relevant RFC that prohibits these notifications, I will officially
>>turn them off.
> 
> 
> First, I would be greatly interested to hear if the public safety organization
> incident occurred within the past 2 years. It sounds quite typical of something
> which might have happened 5 years ago, but not today.
> 
> Five years ago, virus notices made sense, as nobody had yet invented the forging
> mail worm. Today, nearly all viruses and spam have forged returns.
> 
> Bear in mind that when you detect a virus in a message (modern era, not past)
> you have proved with a great deal of certainty that the return-path and from are
> forged.
> 
> Now you must ask yourself, is it within the spirit of the RFCs to generate
> failure notices directed to addresses which are known to not be the source of
> the email?
> 
> I would suggest a read of RFC 3884 for some general RFC level discussion of this
> topic. This RFC makes general recommendations for any autoresponder, including
> virus scanners. Section 2 is highly worthwhile reading.
> 
> http://www.faqs.org/rfcs/rfc3834.html
> 
> 
> Although your behavior is not outright prohibited by this RFC, the RFC does
> suggest in section 2 that responders should avoid responding to messages which
> appear malformed, and should take measures to avoid responding to forgeries and
> other activities that allow it to be abused.
> 
> As for RFC 1123, RFC 3834 clearly condones discarding normal responses when a
> responder has good reason to believe the response will be misdirected.
> 
That's great!


-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()
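
The checks discussed in the quoted reply, sketched as an added example (not part of the thread and not MailScanner's own code): a function that decides whether an automatic notice should be sent at all, combining RFC 3834's guidance for automatic responders with the thread's point that a virus detection implies forged sender addresses. The function name, the reason strings and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def notification_decision(raw_message, virus_found):
    """Return (send, detail): whether to send an automatic notice, and why or to whom."""
    msg = message_from_string(raw_message)
    # The thread's argument, not an RFC rule: a detected virus means the
    # Return-Path and From are almost certainly forged.
    if virus_found:
        return False, "infected message: sender addresses presumed forged"
    # RFC 3834: do not answer anything already marked as automatic.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    # Heuristics RFC 3834 allows for skipping list and bulk traffic.
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False, "bulk or list Precedence"
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "List- header present"
    # Replies go to the envelope sender (Return-Path), never to From, and
    # never to the null address "<>".
    addr = parseaddr(msg.get("Return-Path") or "")[1].lower()
    if not addr:
        return False, "null or missing Return-Path"
    local = addr.split("@")[0]
    if local.startswith("owner-") or local.endswith("-request") or local == "mailer-daemon":
        return False, "list or mail-system address"
    return True, addr

# Constructed sample messages (not taken from the thread).
SAMPLE_CLEAN = (
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "Subject: report\n\nbody\n"
)
SAMPLE_BOUNCE = SAMPLE_CLEAN.replace("<alice@example.org>\nFrom", "<>\nFrom")
SAMPLE_LIST = "Precedence: list\n" + SAMPLE_CLEAN
SAMPLE_AUTO = "Auto-Submitted: auto-replied\n" + SAMPLE_CLEAN

if __name__ == "__main__":
    for name, raw, infected in [
        ("clean", SAMPLE_CLEAN, False),
        ("clean but infected", SAMPLE_CLEAN, True),
        ("bounce", SAMPLE_BOUNCE, False),
        ("list", SAMPLE_LIST, False),
        ("auto-reply", SAMPLE_AUTO, False),
    ]:
        print(name, notification_decision(raw, infected))
```

A notice that does pass these checks should itself carry `Auto-Submitted: auto-replied`, so that other responders following RFC 3834 do not answer it in turn.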
